Secure Coding mailing list archives

Positive impact of an SSG


From: SMigues at cigital.com (Sammy Migues)
Date: Tue, 10 Mar 2009 11:48:25 -0400

Hi all,

I've received some private questions about the 110 activities in BSIMM (bsi-mm.com). Since we built the model directly 
from the data gathered, each activity is actually being done in one of the nine organizations interviewed. The question 
is whether there's any evidence the activities are actually effective as opposed to simply being done.

Since we can't publish any private data, I'd like to point folks at this recent article in Information Security 
Magazine. Jim Routh, CISO of DTCC (one of the nine organizations interviewed), is quoted as follows relative to the 
impact of software security group activities:

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1346974,00.html 

"One of Routh's big wins is inserting security controls early into software development lifecycle at the DTCC. 
Vulnerabilities are weeded out well before they appear in functional code that ends up in production and that has 
resulted in close to $2 million in productivity gains on a base of $150 million spend for development, Routh says.

"Those gains are exclusively the result of having mature and effective controls within our system and software 
development lifecycle," Routh says. This is a three-year-old initiative that educates and certifies developers in all 
DTCC environments in security. Developers are also provided with the necessary code-scanning tools and consulting and 
services help to keep production code close to pristine."

--Sammy.

Sammy Migues
Principal, Technology
703.404.5830 - http://www.cigital.com
Software confidence. Achieved.
smigues at cigital.com
